LinuxQuestions.org
Old 01-31-2017, 12:53 AM   #1
gemmajid
Member
 
Registered: Mar 2012
Location: Karachi
Distribution: Ubuntu, RedHat, CentOs,
Posts: 104

Rep: Reputation: Disabled
Limit retries for secured directory with .htaccess file


I'm using Ubuntu 14.04 with the Apache web server enabled. Due to security concerns, I have password-protected an Apache directory with .htaccess.

Is it possible to block too many password attempts?


Regards,

Majid Hussain
 
Old 01-31-2017, 04:03 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,611

Rep: Reputation: 1802
Quote:
Originally Posted by gemmajid View Post
I'm using Ubuntu 14.04 with the Apache web server enabled. Due to security concerns, I have password-protected an Apache directory with .htaccess.

Is it possible to block too many password attempts?


Regards,

Majid Hussain
This is possible either using fail2ban, or the mod_security apache module.

See the following examples about their usage: fail2ban, mod_security

Regards
 
Old 01-31-2017, 05:56 AM   #3
gemmajid
Member
 
Registered: Mar 2012
Location: Karachi
Distribution: Ubuntu, RedHat, CentOs,
Posts: 104

Original Poster
Rep: Reputation: Disabled
Thank you bathory for your quick response. I had tried fail2ban but it's not working. It doesn't block anything.
 
Old 01-31-2017, 07:16 AM   #4
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,611

Rep: Reputation: 1802
Quote:
Originally Posted by gemmajid View Post
Thank you bathory for your quick response. I had tried fail2ban but it's not working. It doesn't block anything.
What did you try that is not working?
There is the "apache-auth" jail that does exactly what you want. See the example in my previous post if you need help configuring fail2ban and apache-auth in Ubuntu.
 
Old 01-31-2017, 07:41 AM   #5
gemmajid
Member
 
Registered: Mar 2012
Location: Karachi
Distribution: Ubuntu, RedHat, CentOs,
Posts: 104

Original Poster
Rep: Reputation: Disabled
I have followed your fail2ban example and did exactly the same procedure, but unfortunately it's not working; the policy didn't ban my IP.

Further, I have some other rules as well, which are working fine.
 
Old 01-31-2017, 08:39 AM   #6
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,611

Rep: Reputation: 1802
Quote:
Originally Posted by gemmajid View Post
I have followed your fail2ban example and did exactly the same procedure, but unfortunately it's not working; the policy didn't ban my IP.

Further, I have some other rules as well, which are working fine.
Are you sure you've enabled the apache jail and ignoreip does not list your IP(s)?
Code:
[apache]
enabled  = true
...
ignoreip = x.x.x.x
...
And you can always check if the jail regexes work in your case by taking a line from error_log and testing it against fail2ban-regex like this:
Code:
fail2ban-regex '[Tue Jan 31 15:05:58 2017] [error] [client 127.0.0.1] user guest: authentication failure for "/test": Password Mismatch' /etc/fail2ban/filter.d/apache-auth.conf
 
Old 01-31-2017, 10:14 AM   #7
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Test it?
Code:
fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf
 
Old 02-01-2017, 12:21 AM   #8
gemmajid
Member
 
Registered: Mar 2012
Location: Karachi
Distribution: Ubuntu, RedHat, CentOs,
Posts: 104

Original Poster
Rep: Reputation: Disabled
I'm getting something like the below while testing.

Quote:
Running tests
=============

Use failregex file : /etc/fail2ban/filter.d/apache-auth.conf
Use log file : /var/log/apache2/error.log


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [38] WEEKDAY MONTH Day Hour:Minute:Second[.subsecond] Year
`-

Lines: 38 lines, 0 ignored, 0 matched, 38 missed
Missed line(s): too many to print. Use --print-all-missed to print all 38 lines
 
Old 02-01-2017, 01:29 AM   #9
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,611

Rep: Reputation: 1802
Quote:
Lines: 38 lines, 0 ignored, 0 matched, 38 missed
Could you post these 38 lines of error.log here?
 
Old 02-01-2017, 02:02 AM   #10
gemmajid
Member
 
Registered: Mar 2012
Location: Karachi
Distribution: Ubuntu, RedHat, CentOs,
Posts: 104

Original Poster
Rep: Reputation: Disabled
Have a look

Quote:
Lines: 21 lines, 0 ignored, 0 matched, 21 missed
|- Missed line(s):
| [Wed Feb 01 11:45:14.783583 2017] [ssl:warn] [pid 19607] AH01906: TestingServer:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
| [Wed Feb 01 11:45:15.000331 2017] [:warn] [pid 19607] mod_wsgi: Compiled for Python/2.7.8.
| [Wed Feb 01 11:45:15.000410 2017] [:warn] [pid 19607] mod_wsgi: Runtime using Python/2.7.9.
| [Wed Feb 01 11:45:15.004018 2017] [mpm_prefork:notice] [pid 19607] AH00163: Apache/2.4.10 (Ubuntu) OpenSSL/1.0.1f mod_wsgi/3.5 Python/2.7.9 configured -- resuming normal operations
| [Wed Feb 01 11:45:15.004100 2017] [core:notice] [pid 19607] AH00094: Command line: '/usr/sbin/apache2'
| [Wed Feb 01 11:48:20.539715 2017] [mpm_prefork:notice] [pid 19607] AH00169: caught SIGTERM, shutting down
| [Wed Feb 01 11:48:21.389386 2017] [ssl:warn] [pid 20182] AH01906: TestingServer:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
| [Wed Feb 01 11:48:22.000681 2017] [:notice] [pid 20182] ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/) configured.
| [Wed Feb 01 11:48:22.001087 2017] [:notice] [pid 20182] ModSecurity: APR compiled version="1.5.1-dev"; loaded version="1.5.1"
| [Wed Feb 01 11:48:22.001359 2017] [:warn] [pid 20182] ModSecurity: Loaded APR do not match with compiled!
| [Wed Feb 01 11:48:22.001375 2017] [:notice] [pid 20182] ModSecurity: PCRE compiled version="8.31 "; loaded version="8.35 2014-04-04"
| [Wed Feb 01 11:48:22.001391 2017] [:warn] [pid 20182] ModSecurity: Loaded PCRE do not match with compiled!
| [Wed Feb 01 11:48:22.001499 2017] [:notice] [pid 20182] ModSecurity: LUA compiled version="Lua 5.1"
| [Wed Feb 01 11:48:22.001520 2017] [:notice] [pid 20182] ModSecurity: LIBXML compiled version="2.9.1"
| [Wed Feb 01 11:48:22.002914 2017] [:notice] [pid 20182] ModSecurity: StatusEngine call: "2.8.0,Apache,1.5.1-dev/1.5.1,8.31/8.35 2014-04-04,Lua 5.1,2.9.1,460d391b147a8b1ea73a938993d7f2a9b93a5584"
| [Wed Feb 01 11:48:22.109494 2017] [:notice] [pid 20182] ModSecurity: StatusEngine call successfully sent. For more information visit: http://status.modsecurity.org/
| [Wed Feb 01 11:48:22.165535 2017] [ssl:warn] [pid 20184] AH01906: TestingServer:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
| [Wed Feb 01 11:48:23.001110 2017] [:warn] [pid 20184] mod_wsgi: Compiled for Python/2.7.8.
| [Wed Feb 01 11:48:23.001298 2017] [:warn] [pid 20184] mod_wsgi: Runtime using Python/2.7.9.
| [Wed Feb 01 11:48:23.010172 2017] [mpm_prefork:notice] [pid 20184] AH00163: Apache/2.4.10 (Ubuntu) OpenSSL/1.0.1f mod_wsgi/3.5 Python/2.7.9 configured -- resuming normal operations
| [Wed Feb 01 11:48:23.010584 2017] [core:notice] [pid 20184] AH00094: Command line: '/usr/sbin/apache2'
 
Old 02-01-2017, 02:23 AM   #11
gemmajid
Member
 
Registered: Mar 2012
Location: Karachi
Distribution: Ubuntu, RedHat, CentOs,
Posts: 104

Original Poster
Rep: Reputation: Disabled
I assumed that failed-attempt logs are not being generated in the error.log file, as I'm unable to view any entry there. Further, modsecurity is enabled on my server.

modsecurity_audit.log has details of authentication attempts.
 
Old 02-01-2017, 02:57 AM   #12
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,611

Rep: Reputation: 1802
Quote:
Originally Posted by gemmajid View Post
I assumed that failed-attempt logs are not being generated in the error.log file, as I'm unable to view any entry there. Further, modsecurity is enabled on my server.

modsecurity_audit.log has details of authentication attempts.
Failed attempts should be logged like in my post #6.
Now, if mod_security is logging those attempts in a different logfile, then adapt the apache-auth regexes accordingly.

But since you have mod_security enabled, why don't you use it to ban brute-force attacks?
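
The lines posted in #10 are all startup and shutdown notices, which is why fail2ban-regex reports 0 matched. As an added example (not part of the thread and not fail2ban's own filter), this Python script pulls Basic-auth failure lines out of an error log in both the 2.2 style from post #6 and the 2.4 style, and lists the clients that would reach `maxretry` within `findtime`. The regexes, function names and the 2.4 failure lines in the sample are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache 2.2 "[error] [client IP]" and 2.4 "[module:level] [pid N] [client IP:port]".
# The port is stripped; a 2.2-style IPv6 address without a port is not handled.
LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?:[\w-]*:)?\w+\](?: \[pid [^\]]+\])?'
    r'(?: \[client (?P<ip>\S+?)(?::\d+)?\])? (?P<msg>.*)$')
# mod_auth_basic failure messages; Apache 2.4 prefixes them with AH01617/AH01618.
AUTH_FAIL = re.compile(
    r'(?:AH0161[78]: )?user \S+?:? (?:authentication failure|not found)')

def parse_ts(ts):
    fmt = '%a %b %d %H:%M:%S.%f %Y' if '.' in ts else '%a %b %d %H:%M:%S %Y'
    return datetime.strptime(ts, fmt)

def auth_failures(lines):
    """Map client IP -> timestamps of Basic-auth failure lines (other lines skipped)."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if m and m.group('ip') and AUTH_FAIL.match(m.group('msg')):
            hits[m.group('ip')].append(parse_ts(m.group('ts')))
    return dict(hits)

def would_ban(lines, maxretry=3, findtime=600):
    """IPs with at least maxretry failures inside a findtime-second window."""
    banned = []
    span = timedelta(seconds=findtime)
    for ip, times in auth_failures(lines).items():
        times.sort()
        if any(times[i + maxretry - 1] - times[i] <= span
               for i in range(len(times) - maxretry + 1)):
            banned.append(ip)
    return sorted(banned)

# Constructed sample: two startup lines copied from post #10, the 2.2-style line
# from post #6, and made-up 2.4 failures from documentation addresses.
SAMPLE = [
    "[Wed Feb 01 11:48:23.001110 2017] [:warn] [pid 20184] mod_wsgi: Compiled for Python/2.7.8.",
    "[Wed Feb 01 11:48:23.010584 2017] [core:notice] [pid 20184] AH00094: Command line: '/usr/sbin/apache2'",
    '[Tue Jan 31 15:05:58 2017] [error] [client 127.0.0.1] user guest: authentication failure for "/test": Password Mismatch',
    '[Wed Feb 01 12:00:01.100000 2017] [auth_basic:error] [pid 20184] [client 203.0.113.7:51234] AH01617: user guest: authentication failure for "/test": Password Mismatch',
    '[Wed Feb 01 12:00:21.200000 2017] [auth_basic:error] [pid 20184] [client 203.0.113.7:51235] AH01617: user guest: authentication failure for "/test": Password Mismatch',
    '[Wed Feb 01 12:00:41.300000 2017] [auth_basic:error] [pid 20184] [client 203.0.113.7:51236] AH01617: user admin: authentication failure for "/test": Password Mismatch',
    '[Wed Feb 01 12:05:00.000000 2017] [auth_basic:error] [pid 20184] [client 198.51.100.9:40000] AH01618: user mallory not found: /test',
]
```

If `auth_failures()` returns an empty result for the real error.log, as it does for the startup lines alone, the failures are being written somewhere else and no filter regex pointed at that file can match.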
 
Old 02-01-2017, 03:19 AM   #13
gemmajid
Member
 
Registered: Mar 2012
Location: Karachi
Distribution: Ubuntu, RedHat, CentOs,
Posts: 104

Original Poster
Rep: Reputation: Disabled
OK, can you guide me where to add that script which you have posted earlier?
 
Old 02-01-2017, 04:59 AM   #14
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,611

Rep: Reputation: 1802
Quote:
Originally Posted by gemmajid View Post
OK, can you guide me where to add that script which you have posted earlier?
What script? You mean the mod_security example?
I think it's self-explanatory. In the example the poster uses mod_security to protect /sessions.
And of course the code goes into the Apache config file (apache2.conf for Ubuntu), or if it's for a vhost, into the vhost config (/etc/apache2/sites-available/vhost-config).
 
Old 02-01-2017, 07:08 AM   #15
gemmajid
Member
 
Registered: Mar 2012
Location: Karachi
Distribution: Ubuntu, RedHat, CentOs,
Posts: 104

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by bathory View Post
What script? You mean the mod_security example?
I think it's self-explanatory. In the example the poster uses mod_security to protect /sessions.
And of course the code goes into the Apache config file (apache2.conf for Ubuntu), or if it's for a vhost, into the vhost config (/etc/apache2/sites-available/vhost-config).
I have followed the modsecurity example mentioned by you earlier. I have entered the code in the vhost file as well, but no success yet.
 
  

